Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
This brief details the use of the legitimate Windows utility `certutil.exe` by various threat actors to download malicious files from public file-sharing and code-hosting websites, facilitating further compromise and evasion on targeted systems.
Threat actors frequently abuse legitimate Windows binaries (Living Off the Land Binaries, or LOLBINs) to evade detection and perform malicious activities, a technique known as "living off the land." One such binary is certutil.exe, typically used for managing certificate services. However, attackers can leverage its built-in functionality, specifically the urlcache and verifyctl commands with the url option, to download arbitrary files from remote locations. This technique is observed in various campaigns, including those by Agent Tesla and Mint Sandstorm, allowing adversaries to download additional malware, tools, or configuration files directly to compromised systems. By using trusted system utilities and common file-sharing platforms like GitHub, Pastebin, and cloud storage services, attackers can blend malicious traffic with legitimate network activity, making detection more challenging for defenders. This specific detection focuses on certutil.exe processes initiating downloads from a broad list of known file-sharing and code-hosting domains.
Impact
The successful exploitation of this technique allows attackers to bypass traditional perimeter defenses and introduce arbitrary payloads onto a compromised system. This can lead to a wide range of detrimental impacts, including the installation of ransomware, data exfiltration tools, keyloggers, or backdoors, ultimately enabling persistent access and further network penetration. The use of LOLBINs like certutil.exe for ingress tool transfer enhances an adversary's ability to remain undetected, increasing the likelihood of successful secondary infections and significant organizational damage, such as financial losses due to ransomware, reputational damage from data breaches, or operational disruption.
Recommendation
- Deploy the
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXESigma rule to your SIEM and tune for your environment to detectcertutil.exeabuse. - Enable comprehensive
process_creationlogging on all Windows endpoints (e.g., via Sysmon) to ensure visibility intocertutil.exeexecutions and their command-line arguments. - Consider implementing network egress filtering or web proxy policies to block or monitor connections to known suspicious file-sharing domains listed in the
iocssection, particularly for non-standard user agents or processes. - Implement application control policies (e.g., AppLocker, Windows Defender Application Control) to restrict the execution of
certutil.exeor other LOLBINs to approved directories or contexts, limiting its abuse potential.
Detection coverage 1
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
highDetects the execution of certutil with specific flags used to download files from common file-sharing or code-hosting websites, a technique often used for ingress tool transfer.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
35
domain
| Type | Value |
|---|---|
| domain | .githubusercontent.com |
| domain | 0x0.st |
| domain | anonfiles.com |
| domain | bashupload.com |
| domain | cdn.discordapp.com |
| domain | chunk.io |
| domain | ddns.net |
| domain | dl.dropboxusercontent.com |
| domain | ghostbin.co |
| domain | github.com |
| domain | glitch.me |
| domain | gofile.io |
| domain | hastebin.com |
| domain | mediafire.com |
| domain | mega.nz |
| domain | onrender.com |
| domain | pages.dev |
| domain | paste.ee |
| domain | pastebin.com |
| domain | pastebin.pl |
| domain | pastetext.net |
| domain | privatlab.com |
| domain | privatlab.net |
| domain | send.exploit.in |
| domain | sendspace.com |
| domain | storage.googleapis.com |
| domain | storjshare.io |
| domain | supabase.co |
| domain | temp.sh |
| domain | transfer.sh |
| domain | trycloudflare.com |
| domain | ufile.io |
| domain | w3spaces.com |
| domain | workers.dev |
| domain | x0.at |